- 综合性科技类中文核心期刊
- 中国科技论文统计源期刊
- 中国科学引文数据库来源期刊
- 中国学术期刊文摘数据库(核心版)来源期刊
- 中国学术期刊综合评价数据库来源期刊
| Citation: |
WANG Dan, ZHAO Wenbing, DING Zhiming. Review of Detection for Injection Vulnerability of Web Applications[J]. Journal of Beijing University of Technology, 2016, 42(12): 1822-1832. DOI: 10.11936/bjutxb2016020026
|
To overcome the difficulties of prevention Web applications to be maliciously injected which are increased by all kinds of dynamic Web technologies applied, centered on SQL and XSS injection, the research progresses of Web application injection vulnerabilities detection in recent years were reviewed. Firstly, the classification and causes of the Web application injection security vulnerabilities were summarized; Then, the complexity of security vulnerabilities detection was analyzed; Thirdly, the key technologies of the existing detection approached, including analyzing and identifying the injection points, injection delectations by software analysis and testing, by symbolic execution, by taint analysis and models were elaborated; Finally, its future development direction was presented.
| [1] |
WASSERMANN SG.The essence of command injection attacks in Web applications[C]∥Proceedings of Conference of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. Charleston: ACM,2006:372-382. |
| [2] |
WASSERMANN SG,SUZ.Sound and precise analysis of Web applications for injection vulnerabilities[C]∥Conference on Programming Language Design and Implementation. San Diego: ACM,2007:2-41.
|
| [3] |
JIAOA,NUNON,MIGUEC,et al.Vulnerability discovery with attack injection[J].IEEE Transactions on Software Engineering,2010,36(3):357-370.
|
| [4] |
CHENX,ZHENGZ,YUQ,et al.Web service recommendation via exploiting location and QoS information[J].Parallel & Distributed Systems IEEE Transactions on,2014,25(7):1913-1924.
|
| [5] |
SCHOLTET,BALZAROID,ROBERTSONW,et al.An empirical analysis of input validation mechanisms in Web applications and languages[C]∥Proceedings of the 27th Annual ACM Symposium on Applied Computing. Trento : ACM,2012:1419-1426. |
| [6] |
AKIROGA. Core characteristics of Web 2.0 services [EB/OL].[2016-05-12]. http: ∥www. akiroga. com/core-characteristics-of-web-20-services. html#.
|
| [7] |
HALFONDW,ANAND S ORSO A. Precise interface identification to improve testing and analysis of Web applications[C]∥Proceedings of the 18th International Symposium on Software Testing and Analysis. Chicago: ACM,2009:285-296. |
| [8] |
THUMMALAPENTAS,LAKSHMI KV,SINHAS,et al.Guided test generation for Web applications[C]∥Proceedings of the International Conference on Software Engineering. San Francisco: IEEE,2013:162-171.
|
| [9] |
BALDUZZIM,GIMENEZ CT,BALZAROTTID,et al.Automated discovery of parameter pollution vulnerabilities in Web applications[C]∥Proceedings of Network and Distributed System Security Symposium. San Diego: ISOC,2011:1-10. |
| [10] |
ZHENGQ,WUZ,CHENGX,et al.Learning to crawl deep Web[J].Information Systems,2013,38(6):801-819.
|
| [11] |
ARTZIS,DOLBYJ,JENSENS,et al.A framework for automated testing of JavaScript Web applications[C]∥Proceedings of International Conference on Software Engineering. Honolulu: IEEE,2011:571-580.
|
| [12] |
VON DEURSEN MA,LENSELINKS.Crawling Ajax-based Web applications through dynamic analysis of user interface state changes[J].ACM Transactions on the Web,2012,6(1):3.
|
| [13] |
PRATEEKS,STEVEH,PONGSINP,et al.FLAX: systematic discovery of client-side validation vulnerabilities in rich Web applications[C]∥17th Annual Network and Distributed System Security Symposium. San Diego: ISOC,2010:1-17. |
| [14] |
Open Web Application Security Project. OWASP Top10-2013[R/OL]. [2016-03-03]. Maryland: OWASP,2013.http:∥www.owasp. org. cn/owasp-project/download/OWASPTop102013V1. 2. pdf.
|
| [15] |
BUEHRER GT,WEIDE BW,SIVILOTTI P A G. Using parse tree validation to prevent SQL injection attacks[C]∥Proceedings of the 5th International Workshop on Software Engineering and Middleware. Lisbon: ACM,2005:106-113.
|
| [16] |
CIAMPAA,VISAGGIO CA,DIPENTAM.A heuristic-based approach for detecting SQL-injection vulnerabilities in Web applications[C]∥Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems. Cape Town: IEEE,2010:43-49.
|
| [17] |
SALAS M IP,MARTINSE.Security testing methodology for vulnerabilities detection of XSS in Web services and WS-security[J].Electronic Notes in Theoretical Computer Science,2014,302(302):133-154.
|
| [18] |
ISMAILO,ETOHM,KADOBAYASHIY,et al.A proposal and implementation of automatic detection/collection system for cross-site scripting vulnerability[C]∥Proceedings of the 18th International Conference on Advanced Information Networking and Applications. Fukuoka: IEEE,2004:145-151.
|
| [19] |
BATESD,BARTHSA,JACKSONC.Regular expression considered harmful in client-side XSS filter[C]∥Proceedings of the 19th International World Wide Web Conference. Raleigh: W3C,2010:91-100.
|
| [20] |
APPELTD,NGUYEN CD,BRIAND LC,et al.Automated testing for SQL injection vulnerabilities: an input mutation approach[C]∥Proceedings of the 2014 International Symposium on Software Testing and Analysis. Bay Area: ACM,2014:259-269. |
| [21] |
JINX,HU XC,YING KL,et al.Code injection attacks on HTML5-based mobile apps: characterization, detection and mitigation[C]∥Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. Scottsdale: ACM,2014:66-77.
|
| [22] |
HALFOND W GJ,CHOUDHARY SR,ORSOA.Penetration testing with improved input vector identification[C]∥Proceedings of the 2nd International Conference on Software Testing, Verification and Validation. Piscataway: IEEE,2009:346-355.
|
| [23] |
BOZDAG ME,VAN DEURSENA.Crawling Ajax by inferring user interface state changes[C]∥Proceedings of the International Conference on Web Engineering. Yorktown Heights: IEEE,2008:122-134.
|
| [24] |
MCALLISTERS,KIRDAE,KRUEGELC.Leveraging user interactions for in-depth testing of Web applications[C]∥Proceedings of the 11th International Symposium on Recent Advances in Intrusion Detection. Cambridge: Springer,2008:191-210. |
| [25] |
RAGHAVANS,GARCIA-MOLINAH.Crawling the hidden Web[C]∥Proceedings of the 2001 International Conference on Very Large DataBases. Roma: VLDB,2001:129-138.
|
| [26] |
CHEN JM,WU CL.An automated vulnerability scanner for injection attack based on injection point[C]∥2010 International Computer Symposium. Tainan: IEEE,2010:113-118. |
| [27] |
VAN DEURSENA,MESBAHA,NEDERLOFA.Crawl-based analysis of Web applications: prospects and challenges[J].Science of Computer Programming,2015,97:173-180.
|
| [28] |
PARAMESHWARANI,BUDIANTOE,SHINDES,et al.Auto-patching DOM-based XSS at scale[C]∥Proceedings of the 10th Joint Meeting on Foundations of Software Engineering. Bergamo: ACM,2015:272-283.
|
| [29] |
HALFOND W GJ,CHOUDHARY SR,ORSOA.Improving penetration testing through static and dynamic analysis[C]∥Proceedings of the Second IEEE International Conference on Software Testing, Verification and Validation. West Sussex: John Wiley and Sons Ltd,2011:195-214.
|
| [30] |
HAOJ,MENDESE.Usage-based statistical testing of Web applications[C]∥Proceedings of the International Conference on Web Engineering. Como: Springer,2006:17-24.
|
| [31] |
AMALFITANOD,FASOLINOA,TRAMONTANAP.Reverse engineering finite state machines from rich Internet applications[C]∥2008 15th Working Conference on Reverse Engineering. Antwerp: IEEE,2008:69-73.
|
| [32] |
SHAHRIARH,HADDADH.Risk assessment of code injection vulnerabilities using fuzzy logic-based system[C]∥Proceedings of the 29th Annual ACM Symposium on Applied Computing. Gyeongju: ACM,2014:1164-1170. |
| [33] |
KAURN,KAURP.Mitigation of SQL injection attacks using threat modeling[J].ACM SIGSOFT Software Engineering Notes,2014,39(6):1-6.
|
| [34] |
VISHNU BA,JEVITHA KP.Prediction of cross-site scripting attack using machine learning algorithms[C] ∥Proceedings of the 2014 International Conference on Interdisciplinary Advances in Applied Computing. Amritapuri: ACM,2014:1-5.
|
| [35] |
SHEYKHKANLOO NM.Employing neural networks for the detection of SQL injection attack[C]∥Proceedings of the 7th International Conference on Security of Information and Networks. Glasgow: ACM,2014:318.
|
| [36] |
SHEYKHKANLOO NM.SQL-IDS: evaluation of SQL attack detection and classification based on machine learning techniques[C]∥Proceedings of the 8th International Conference on Security of Information and Networks. Sochi: ACM,2015:258-266.
|
| [37] |
ALKHALAFM,CHOUDHARY SR,FAZZINIYM,et al.ViewPoints: differential string analysis for discovering client and server-side input validation inconsistencies[C]∥International Symposium on Software Testing and Analysis. Minneapolis: ACM,2012:56-66. |
| [38] |
ZANEROS,CRISCIONEC.Masibty: an anomaly based intrusion prevention system for Web applications[C]∥Proceedings of Black Hat Europe. Amsterdam: Black Hat Briefings,2009:1-17.
|
| [39] |
GUPTAS,GUPTA BB.PHP-sensor: a prototype method to discover workflow violation and XSS vulnerabilities in PHP Web applications[C]∥Proceedings of the 12th ACM International Conference on Computing Frontiers. Ischia: ACM,2015:1-8.
|
| [40] |
LAM MS,MARTINM,LIVSHITSB,et al.Securing Web applications with static and dynamic information flow tracking[C]∥Proceedings of the 2008 ACM SIGPLAN Symposium on Partial Evaluation and Semantics Based Program Manipulation. New York: ACM,2008:3-12. |
| [41] |
NGUYEN-TUONGA,GUARNIERIS,GREENED,et al.Automatically hardening Web applications using precise tainting[C]∥Proceedings of the 20th IFIP International Information Security Conference. Chiba: Springer,2005:372-382.
|
| [42] |
SAXENAP,MOLNARD,LIVSHITSB.SCRIPTGARD: automatic context-sensitive sanitization for large-scale legacy Web applications[C]∥Proceedings of the 18th ACM Conference on Computer and Communications Security. Chicago: ACM,2011:601-614.
|
| [43] |
SHANNOND,HAJRAS,LEEA,et al.Abstracting symbolic execution with string analysis[C]∥Proceedings of the Testing: Academic and Industrial Conference Practice and Research Techniques. Windsor: IEEE,2007:13-22.
|
| [44] |
HALFOND WG,ORSOA.AMNESIA: analysis and monitoring for neutralizing SQL-injection attacks[C]∥International Conference on Automated Software Engineering. Long Beach: ACM,2005:174-183.
|
| [45] |
上海市软件评测中心有限公司. 关于Fortify [EB/OL].[2016-05-13]. http: ∥www. itesting. cn/index. php?_m=mod_article&_a=article_content&article_id=126.
|
| [46] |
深圳市九州安域科技有限公司. CodeSecure代码安全检测[EB/OL].[2016-05-13]. http: ∥www. mainway. net/chanpin/code_secure. html.
|
| [47] |
InformerTechnologies,Inc. Rational AppScan source edition[EB/OL].[2016-05-13]. http: ∥softadvice. informer. com/Rational_Appscan_Source_Edition. html.
|
| [48] |
JOVANOVICN,KRUEGELC,KIRDAE.Pixy: a static analysis tool for detecting Web application vulnerabilities[C]∥Proceedings of 2006 IEEE Symposium on Security and Privacy. Oakland: IEEE,2006:258-263. |
| [49] |
BISHTP,HINRICHST,SKRUPSKYN,et al.NoTamper: automatic blackbox detection of parameter tampering opportunities in Web applications[C]∥Proceedings of the ACM Conference on Computer and Communications Security. Chicago: ACM,2010:607-618.
|
| [50] |
MARTINM,LAM MS.Automatic generation of XSS and SQL injection attacks with goal-directed model checking[C]∥Proceedings of the 17th Conference on Security Symposium. San Jose: USENIX Association,2008:31-43. |
| [51] |
Hewlett Packard Enterprise Development LP. WebInspect 动态应用安全测试[EB/OL].[2016-05-13]. http: ∥www8. hp. com/cn/zh/software-solutions/asset/software-asset-viewer. html?asset=936485&module=1830243&docname=4AA1-5363ENW.
|
| [52] |
OWASP. Category: OWASP WebScarab Project[EB/OL].[2016-05-13]. https: ∥www. owasp. org/index. php/ Category: OWASP_WebScarab_Project.
|
| [53] |
SENK.DART: directed automated random testing[C]∥International Haifa Verification Conference on Hardware and Software: Verification and Testing. Israel: Springer-Verlag,2009:213-223.
|
| [54] |
CADARC,SENK.Symbolic execution for software testing: three decades later[J].ACM Communication,2013,56(2):82-90.
|
| [55] |
CADARC,GANESHV,PAWLOWSKI PM,et al.EXE: automatically generating inputs of death[C]∥ACM 13th Conference on Computer and Communication Security. New York: ACM,2006:322-335.
|
| [56] |
CADARC,DUNBARD,ENGLERD.KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs[C]∥8th USENIX Symposium on Operating Systems Design and Implementation. San Diego: USENIX Association,2008:209-224. |
| [57] |
ANANDS,PASAREANU CS,VISSERW.JPF-SE: a symbolic execution extension to Java pathfinder[C]∥Proceedings of the 13th International Conference on Tools and Algorithms for the Construction and Analysis of Systems. Berlin: Springer-Verlag,2007:134-138.
|
| [58] |
CHIPOUNOVV,KUZNETSOVV,CANDEAG.S2E: a platform for in-vivo multi-path analysis of software systems[J].ACM SIGARCH Computer Architecture News,2011,39(1):265-278.
|
| [59] |
黄强,曾庆凯.基于信息流策略的污点传播分析及动态验证[J].软件学报,2011,22(9):2036-2048.
HUANGQ,ZENG QK.Taint propagation analysis and dynamic verification with information flow policy[J].Journal of Software,2011,22(9):2036-2048. (in Chinese)
|
| [60] |
TRIPPO,PISTOLAM,FINK SJ,et al.TAJ: effective taint analysis of Web applications[C]∥Proceedings of the 2009 ACM SIGPLAN Conference on Programming Language Design and Implementation. New York: ACM,2009:87-97.
|
| [61] |
KIE<inline-formula><mml:mathxmlns="[C]∥Proceedings of 31st International Conference on Software Engineering. Washington, D C: IEEE, 2009: 199-209. http://www.w3.org/1998/Math/MathML" id="Mml1-1002-3054-42-12-1822"><mml:mtable frame="none" columnlines="none" rowlines="none"><mml:mtr><mml:mtd><mml:maligngroup/><mml:mrow><mml:mover><mml:mrow><mml:mi>Z</mml:mi></mml:mrow><mml:mrow><mml:mo>·</mml:mo></mml:mrow></mml:mover></mml:mrow></mml:mtd></mml:mtr></mml:mtable></mml:math></inline-formula>UN A, GUO P J, JAYARAMAN K, et al. Automatic creation of SQL injection and cross-site scripting attacks
|
| [62] |
NEWSOMEJ,SONGD.Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software[C]∥Proceedings of the Network and Distributed System Security Symposium. San Diego: ISOC,2005:720-724. |
| [63] |
CLAUSEJ,ORSOA.Penumbra: automatically identifying failure-relevant inputs using dynamic tainting[C]∥Proceedings of Symposium on Software Testing and Analysis. Chicago: ACM,2009:19-23. |
| [64] |
ALKHALAFM,BULTANT,GALLEGOS JL.Verifying client-side input validation functions using string analysis[C]∥Proceedings of the 2012 International Conference on Software Engineering. Zürich: IEEE,2012:947-957.
|
| [65] |
VOGTP,NENTWICHF,JOVANOVICHN,et al.Cross-site scripting prevention with dynamic data tainting and static analysis[C]∥Proceedings of Network and Distributed System Security Symposium. San Diego: ISOC,2007:28-37. |
| [66] |
ARMANDOA,CARBONEO,COMPAGNAU,et al.Model-checking driven security testing of Web-based applications[C]∥Proceedings of the Third International Conference on Software Testing, Verification and Validation Workshops. Paris : IEEE,2010:361-370.
|
| [67] |
GORANKOV.Logic in computer science: modelling and reasoning about systems[M]∥Logic in Computer Science:Modelling and Reasoning About Systems. Cambridge: Cambridge University Press,2004:117-120.
|
| [68] |
缪淮扣,陈圣波,曾红卫.基于模型的Web 应用测试[J].计算机学报,2011,34(6):1012-1028.
MIAO HK,CHEN SB,ZENG HW.Model-based testing for Web application[J].Chinese Journal of Computers,2011,34(6):1012-1028. (in Chinese)
|
| [69] |
XIONG PL,PEYTONL.A model-driven penetration test framework for Web applications[C]∥Proceedings of the 2010 Eighth Annual International Conference on Privacy Security and Trust. Ottawa: IEEE,2010:173-180.
|
| [70] |
MARBACKA,DOH,HEK,et al.Security test generation using threat trees[C]∥Proceedings of the ICSE Workshop on Automation of Software Test. Vancouver: IEEE,2009:62-69.
|
| [71] |
刘强,殷建平,蔡志平,等.基于不确定图的网络漏洞分析方法[J].软件学报,2011,22(6):1398-1412.
LIUQ,YIN JP,CAI ZP,et al.Uncertain graph based method for network vulnerability analysis[J].Journal of Software,2011,22(6):1398-1412. (in Chinese)
|
| [72] |
BULTANT.Modeling interactions of Web software[C] ∥Proceedings of the 2nd International. Workshop on Automated Specification and Verification of Web Systems. Cyprus: IEEE,2006:45-52.
|
| [73] |
FELMETSGERV,CAVEDONL,KRUEGELC,et al.Toward automated detection of logic vulnerabilities in Web applications[C]∥Proceedings of the 19th USENIX Conference on Security. Washington, D C: USENIX Association,2010:143-160.
|
| [74] |
BENJAMINK,VON BOCHMANNG,JOURDAN GV,et al.Some modeling challenges when testing rich Internet applications for security[C]∥Proceedings of the 3rd International Conference on Software Testing, Verification and Validation Workshops. Paris: IEEE,2010:403-409.
|
| [75] |
JOVANOVICN,KRUEGELC,KIRDAE.Static analysis for detecting taint-style vulnerabilities in Web applications[J].Journal of Computer Security,2010,18(5):861-907.
|
| [76] |
HUANG JM,WANG HX,FUXMANA,et al.Toward query centric Web modeling and crawling[C]∥Proceedings of 2011 Very Large Database. Seattle: VLDB,2011:37.
|
| [1] | WANG Dan, ZHAO Wenbing, DING Zhiming. Review of Big Data Security Critical Technologies[J]. Journal of Beijing University of Technology, 2017, 43(3): 335-349. DOI: 10.11936/bjutxb2016020025 |
| [2] | XIANG Pan, ZHAO Yan, LIN Jiahao. Riding Comfort Analysis for Coupled Vehicle-track Systems With Uncertain Parameters[J]. Journal of Beijing University of Technology, 2016, 42(12): 1781-1786. DOI: 10.11936/bjutxb2016080037 |
| [3] | FANG Hao-bo, CHEN Ji-min. 3D Printing Based on Digital Light Processing Technology[J]. Journal of Beijing University of Technology, 2015, 41(12): 1775-1782. DOI: 10.11936/bjutxb2015070050 |
| [4] | SHI Zhao-yao, ZHANG Bin, LIN Jia-chun, ZHANG Hua. Half Century of Coordinate Metrology Technology——Evolution and Trends[J]. Journal of Beijing University of Technology, 2011, 37(5): 648-656. |
| [5] | WU Jian, LI Hai-liang, REN Yi, LIU Shi-bing. Research for 'Function Integration and Structure Micromation' of Spectrum Detection in μTAS Field Based on Laser Micro-technology[J]. Journal of Beijing University of Technology, 2010, 36(3): 425-428. |
| [6] | JIN Jiang. Improvement of the Comfort of Cement Concrete Pavement[J]. Journal of Beijing University of Technology, 2004, 30(1): 85-88. |
| [7] | HAN Jing-yun, LI Yan-sheng, CHU Guo-min, FEI Ren-yuan. Building of Ideal Dental Crowns Model Based on Reverse Engineering[J]. Journal of Beijing University of Technology, 2003, 29(2): 141-143. |
| [8] | HAN Jing-yun, CHU Guo-min, LI Yan-sheng, FEI Ren-yuan, LÜ Pei-jun, WANG Yong, YE Shao-you. Application of Reverse Engineering in Denture Design[J]. Journal of Beijing University of Technology, 2002, 28(4): 413-417. |
| [9] | Guo Hansheng. STM and STM-Based Atom Technology[J]. Journal of Beijing University of Technology, 1998, 24(3): 124-129. |
| [10] | Hua Younian, Zhou Hongzhi, Li Dagang. The CAT/CAD System for Advanced High Frequency Technology[J]. Journal of Beijing University of Technology, 1991, 17(3): 77-85,90. |
Supported by: Beijing Renhe Information Technology Co., Ltd. 
DownLoad: